// security research blog

Real Bugs.Real Bounties.

Case studies, vulnerability writeups, and penetration testing insights from active bug bounty research across 100+ programs.

Recent Writeups

Hand-picked findings from real bug bounty engagements. Every step reproducible, every disclosure responsible.

Fundamentals
Guide

Penetration Testing vs Vulnerability Assessment: What's the Difference?

A vulnerability assessment finds weaknesses; a penetration test proves which ones an attacker can actually exploit. Here's the real difference, and why "VAPT" means doing both.

Hassan Jawaid June 2026 ~10 min read
Fundamentals
Guide

What Is Security Testing? Types, Process & Why It Matters

A complete, plain-English guide to security testing: what it is, why your clients and auditors require it, the main types (VAPT, SAST, DAST, pentesting), who performs it, and how to get started.

Hassan Jawaid June 2026 ~11 min read
Application Security
Guide

SAST vs DAST vs Black Box: Application Security Testing Explained

SAST reads your code, DAST attacks your running app, black-box testing simulates an outside attacker. A plain-English guide to the acronyms, and when to use each.

Hassan Jawaid June 2026 ~10 min read
API Security
Guide

What Is API Security Testing? (And Why APIs Are the New Front Door)

APIs now carry most of an application's real attack surface. What API security testing is, what gets tested by hand, and why it differs from testing the web UI in front of it.

Hassan Jawaid June 2026 ~9 min read
Web Security
Guide

Web Application Security Testing: What It Is & How It's Done

What web application security testing actually is, what gets tested, and the step-by-step process a manual web pentest follows, from recon to a report your client's auditor will accept.

Hassan Jawaid June 2026 ~10 min read
Methodology
Pre-Engagement

The Scoping Call: 17 Questions We Ask Before Quoting

Before we send a pentest quote, we get on a 30-minute scoping call and work through 17 questions. Here are all of them, why each one matters for accurate pricing, and the questions you should ask us back.

Hassan Jawaid June 2026 ~8 min read
Methodology
Testing Process

Inside Our 5-Day Web Pentest: A Day-by-Day Breakdown

What are we actually doing for those five days? An hour-by-hour, day-by-day breakdown of a real web application engagement: recon, auth testing, business logic, reporting, and the included re-test.

Hassan Jawaid May 2026 ~11 min read
Reporting
Security Audit & Reporting

What a SOC 2-Ready Pentest Report Contains (With a Sample TOC)

A SOC 2-ready pentest report isn't a Nessus PDF. Here's the actual table of contents we deliver, what each section contains, and why your overseas client's auditor wants every part of it.

Hassan Jawaid May 2026 ~10 min read
For Software Houses
Compliance

SOC 2 vs ISO 27001 vs "Just a Pentest"

Your client says "send your SOC 2" or "do you have ISO 27001" or "just send a pentest". They're three completely different things. Here's how to tell which one your client actually needs, with rough costs and timelines.

Hassan Jawaid April 2026 ~9 min read
Network Security
Internal Network

Why Your Office Wi-Fi Is the Cheapest Way Into Your Production Servers

Most software houses keep production credentials on dev laptops sitting on the office Wi-Fi. Here's the path a network pentest walks (guest Wi-Fi to production database) and how to close it.

Hassan Jawaid April 2026 ~10 min read
For Software Houses
Plain English

Your US Client Asked for a "VAPT Report". Here's What They Want.

A US, UK, or EU client just emailed asking for a "VAPT report" before they sign. Here's exactly what they want, what their security team will look at first, and what to send back.

Hassan Jawaid March 2026 ~9 min read
Cloud Security
AWS Audit

The 7 AWS Misconfigurations We Find in Almost Every Startup Audit

Public S3 buckets, over-permissive IAM, exposed metadata, world-open security groups. Seven AWS misconfigurations we find on nearly every cloud audit, and how to fix each in under a day.

Hassan Jawaid March 2026 ~11 min read
API Security
CTO Guide

OWASP API Top 10 for Non-Security CTOs: The 4 That Actually Matter

If your product is a React front end on a REST or GraphQL backend, the API Top 10 maps to your real attack surface better than the web list. Here are the four categories that cause most of the damage.

Hassan Jawaid February 2026 ~10 min read
Web Security
OWASP Top 10

OWASP Top 10 in Pakistani SaaS: What Each Bug Actually Looks Like

The OWASP Top 10 reads like a textbook. Here's what each item actually looks like in real Pakistani SaaS products we've tested (HR platforms, fintechs, logistics dashboards) and what to fix first.

Hassan Jawaid February 2026 ~12 min read
Mobile Security
Android

Hardcoded API Keys in Android Apps: A 5-Minute Audit Any Dev Can Do

About 7 of 10 Android apps we test ship with an API key, AWS secret, or token baked into the binary. Here's the exact 5-minute audit we run on your APK, so you can clean it up before we even start.

Hassan Jawaid January 2026 ~9 min read
P2 · High
Subdomain Takeover

Subdomain Takeover via Yumpu Misconfiguration

A dangling CNAME pointing at an orphaned Yumpu publication on a redacted target let me reclaim a trusted subdomain and serve content under its TLS cert. Full recon-to-report walkthrough.

Hassan Jawaid April 2025 ~8 min read
P2 · Multi-program
MFA / 2FA Security

MFA Bypass Techniques from Real Bug Bounty Cases

Eleven real-world MFA bypass vulnerabilities: rate-limiting flaws, response manipulation, OAuth bypasses, session race conditions, and a pre-auth phone number leak via XML content-type switching.

Hassan Jawaid Dec 2024 ~15 min read

Older writeups live on Hassan's Medium. Native posts on this site will continue to expand as new disclosures clear their embargo windows.

Need this kind of testing on your stack?

The same recon and exploitation mindset that surfaces these public findings powers every VAPT.PK engagement.